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Key EQerarchy and Method and Apparatus for Handling the Same 
Field of the Invention 

5 The pgnfesent invOTtion xdates to a key Weiarcky for use, fiar example, in protectiBg sexisitive 
data used by a trusted platfbnn; the present invention also relates to a method and 
apparatus for handling such a key hierarchy. 

Background of the Invention 

1 0 TCPA teghnology is specified in the TCP A specifications and described, for example, in 
the book "trusted cp^xiputiwg platforms — tcpa technology in context"; Pearson (editor); 
Prentice HaU; ISBN 0-13-009220-7". 



A trusted platform built according to today's TCPA specifications will incorporate a 
trusted platform subsystem typically comprising a Trusted Platform Module (TPM) in the 
form of a hardware chip separate &om the main CPU!, a Root of Trust for Measurement 
(RTlvO formed by the first software to run during the boot process, and support software 
tetmed the Trusted platform Support Service (TSS) which perfoims various functions such 
35 £hQ$e nepessaiy for oommunication with the rest of the platform. In a PC, the RTM will 
typically be founded i^an BIOS instructions that cause the main platform processor to do 
RTM work; this set of instructions is called the Core Root of Trust for Measurement 
(CRTM) for convemonce. 

The RTM and associated mea^izrcpcaent agents carry out integrity measurements (integrity 
25 metrics) on the platform at various sta^s and store the results in a measurement log in 
ordinary memory; however, a condensed sununaiy is also stored in Platform Configotation 
Registers (PCRs) of the TPM, 

In addition to the PCRs^ the TPM comprises a processor and various cryptographic 
30 fitactidn^ ^$ well as memory for permanently holding secrets such as the private TPM 
endorsement key and the storage root key (SRK). With regard to the SRK, the TPM 
Supports a Protected Storage mechanism in the fonn of a hierarchy (tree) of data objects the 
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rootcfwhichismeSRK; apartfenn theSRKthatispcniiflneiitly stor^ mihelPM(ai«l 
not rrfeased from it), the tree can be stored outside of die TPM. Each intermediate node 
object in ihe tree is encrypted by a key in the node object above it in the tree (the parent 
node), all the back to the SRK root node, key has an associated aiilhorisatian 
5 valoB tm raust be presented to flie TPM (or, more accurately, used in a protocol that 
prt ves Jaiowledge of the value without revealing liie value) before the TPM pennits tiie 
key to be iised. Ihtennediatc nodes in the tree will always be keys but leaf nodes can be 
aibitraiy data (though iTequen,tly they will also be keys, such as symmetric keys for use by 
appHcation processes in protecting bulk data). Keys in the tree can either be '■non- 
10 mignitable- meaning that the private key is only known to the TPM, or "migratable" 
meaning that Hiere is no guarantee about the origin and use of the private key. 

Access to beys in Ihe key hierarchy (and thus to the data protected by the keys) can be 
made dependent on the current state of theplatfonn as indicated by the values held in the 

15 PCRs. The relevant TCPA fimctions are "TPM.Seal" and TPM_Extend which enable a 
TPM to conceal decryption keys unless tlis value of cuiientPCR is the same as stoiedPCR. 
values. Ibis sealing process C'Seal") enables enforcement of the software environment 
(PCRa)thatmustexistbefQredatacanberevealed, andsimultaneonslyprovidesamethod 
of concealing data (because 1iie TPM releases a decryption key) until that enviromnent 

20 exists. Seal is therefore an access control that depends on^eprevzous stateof aplatfonn 
(represented in terms of PC3ls). Seal pemiits the creator of data to dictate the software 
environment that must exist in a platform whcai the data is used 

A trusted platform bmlt according to today's TCPA specifications can be relied i^n to 
25 storesecrets.provideaplatfbmiidenti1y. and reKably report the Operatmg System (OS) in 
aplatfoim. Common operating systems cannot be relied i^n to protect secrirts once th^ 
havebeen revealed to theplatfotm'ssofhva^nortor^c^onwhathas happened sn^ 
OS took control of the platform. This is because these OS's cannot be reUed upon to 
reliably measure and store integrity metrics in&e TPM's PCRs. It's notthat common OSs 
30 can't measure and store integrity metrics, it's that they cannot protect themselves against 
subversion, so integrity metrics can't be trusted if they were stored after the OS was 
loaded. One conscqiience of the lack of trustworthiness of the OS is that the sealing 
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process described above has limited value in platforms with existing conventional OSs, 
because they cannot be x^Ued upon to reliably measure and store integrity metrics in the 
TPM^sPCRs. 

5 Thus, aurecLt trusted platfonns are limited because today's Core Root of Trust of 
Measuraoicnt (CRTM) is in a relatively ujoprotected BIOS chip, and because Operating 
Syfiteois are in^iiffidieiitly protected against subversioTu NeverflielcsSs all flanctions that sere 
provided by a TPM are fiilly protected, and if the platfonn's pre-boot enviromnent 
(especially its BIOS Boot Block, acting as the TCPA Core Root of Trust for Measurement) 
10 ' h pcop^ly di^sigaed, all operations ^t executed before the OS can be &ithfully recorded 
intheTPM'sPCRs. 

If the software on a platform is written to take advantage of the processing "rings" (levels 
of privilege) on processors (such as Intel processors), that sofbvare can use these rings to 

15 protect itself a^TjJSft subversion. A secure compartment-OS that is protected by virtue of 
these processing rings can dy^arnically create and destroy isolated software compartments. 
Applications then execute in isolated compartments, which protect the application from 
other applications^ and visa versa. Each compartment provides and protects access to the 
sccarcts belonging to the s^lication in the compartment. In servers, or peer-to-peer 

20 systems, trusted ^plications can talk to each other, whether fhey are in other compartments 
on the same platform or in oompaitments in other platforms. One important feature of this 
type of processing is that it prevents even the plat£6nn*5 administrator firom violating the 
privacy of an application and data. 

25 It is an object of the present invention to facilitate the use of piotectedprocesses in trusted 
platforms and, in particular, the release of keys to such processes. Howev^, the present 
tnveafion has wider £^plication and is not to be limited in scope by the foregoing objective. 

Snmrnar y of the Invention 

30 The present invention is based in part on the observation that previous platfbnn history is 
irrelevant for protected sofbvare provided that all traces of previous software have been 
unloaded or existing software is benign (such as a protected compartment OS). In these 
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cases^ "the qp^tion of protected software is imafiected by software that previously 
executed on the platfoim. The decision to release secrets for use by protetsted software can 
thi^eft>re he made purely on the basis of knowmg what protected software is about to be 
executed. So^ if a TPM 'Toiows" that protected software is about to be started, and is 
5 presented with a digest of that software, the TJ?M can safely release the secrets for that 
protected software. 

Li its broader aspects^ the present invention is conceded with the mechanism used to 
ensure that only secrets a^^oqialed with a protected process are released by the TPM. This 
10 mechanism involves the use of a "dynamic root key" that is associated with the protected 
process to be run, the key itself forming pait of the key hierarchy stored in Ptotected 
Storage. When a protected process is nm (or about to be run) ^ the associated dynamic root 
key is installed in the TPM to act as the root of a hierarchy of (external) data objects 
instead of the SRK. Access to parts of the key hierarchy that require ascent fixim the 

1 5 dynamic toot key is prohibited. To ensure that the process associated with a dynamic root 
key is the expected protected process^ activation of the dynamic root key in the TPM 
pi;efBrably requires the presentation of an authorisation value that is, for example, a digest 
of the protected process. When the TPM loads a dynamic root bey, the TPM unloads any 
existing keys (including: any previous dynamic root key), invalidates any keys that might 

20 have bee^a Cfiched outside the TPM« and uses the new dynamic root key instead of the 
Storage Root Key. The TPM continues to use thenew dynamic root keyinstead of the SRK! 
until a new d3niamic root key is loaded or until the TPM is tiestarted. 

Once a dynamic root key has been loaded^ it or its tree of data obj ects can be used to store 
25 keys that protect senstdve data belonging to the protected process. 

Althou^ the piesmt invention has been outlined above in the context of the TCPA 
andiitectuxe, it is of broader ^yplication* 

30 More particularly, according to one aspect of the present invention, ttierBis provided atree- 
stnictured key hierarchy widi multiple nodes serving as root nodes dividing the hierarchy 
into differeat parts only accessible ftom corresponding root nodes. 
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Awording to another aspect of the ijresent invention, there is provided processmg 
apparatus comprising akq^-handHngmitforhandlinga tree-stmcturedke^ the 
key^handling unit being arranged to treat a selected node of the hierarchy a$ die curreiit: 
S rootnodesnchlfaattfaDsepaTtsofthehierarcIiy that can only be reached by ascent dGrom the 
ourrent root node are inaxx:essible, the key-handling unit inchiddng an arrangement far 
ohmigmg the node of the hierarchy serving as said cutxent root node. 

The present invention also contemplates a method of managing a tree-structured hierarchy 
10 corresponding to that iinpleniented by the foregoing apparatus. 

Brief Description of the Drawmgs 

Embodiments of the invention will now be described, by way of non-limiting example, 
with reference to the accompanying diagrammatic drawings, in which: 
15 - Figure 1 is a diagram of key hierarchy associated with a Trusted Platform Module; 
. Figure 2 is a diagram indicating the contents of a dj^axnic root key object of the 

Figure 1 key hierarchy; 
* Figure 3 is a diagram illustrating trusted platform elements involved in starting a 

protected prpcess; and 

20 . Figured is a diagram illustrating certain stages in the activation of a d>namic root 
key associated with the Figure 3 protected process. 

Best Mode of Carrying Out the loventioii 

Figure 1 ilhi^ates a trusted Platform Module ^TPM) I Owhfa its normal Protected Storage 
Z5 data-object hierarchy 12 (also referred to below as a key hieraxdiy). The TPM's Storage 
KootKey (SRK) 1 1 resided permanently inside the TPM 10. Th^ SRK 11 is used to encrypt 
C Wp") keys Kl-1, Kl-2, Kl-3 etc. that form the next level of the hierarchy. Key Kl-1, 
which in this cast is a non-migratable key. itself wraps fuilber keys K2-1 , K2-2, etc. The 
hatched outer ammlus around each key in the Figure 1 key hierarchy 12 is a graphical 
30 indication that each key is wrapped (encrypted). A key in the hierarchy 12 can only be 
decrypted by the TPM 1 0 upon presentation to the latter of authorizations in respect of the 
ancestor keys in the hierarchy. 
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In the present example. Key K2-1 is a "dynamic root object** 16. The dynamic ZDOtitey 
16 can be the chfld of any non-migratable node in the key hierarchy 12; for example, the 
dynamic coot k^ 16 could be a child of the SUK 11 rather fhan ofkeyKl-1 as illustrated. 
5 As will be described below, the dynainic root key 16 acts as the root of a hierarchy of 
(external) data objects instead of the SRJK, in respect of an associated protected process. 

The alandaid TCPA dsBnition of akey is: 
typedef struct tdTCPA_KEY{ 
10 TCPA^VERSIONvcar, 

TCPA_KEY_USAGE keyUsage; 
TCPA_KEY_ELAGS keyFlags; 
TCPA_AUTH:_DATA_USAGE authDataUsage; 
TOPAJECEYLPARMS algorithmPainis; 
15 UINT32 PCRlhfoSize; 

BYTE* PCRInfo; 

TCPA_STORE_^PUfiKEY pubKley; 
UINT32 encSize; 

[si2e_is(encData)] BYTE* encData; 
20 }TCPA_KEY; 

la fact, only the data in "encData^* is encrypted (wrapped) by the key above in the key 
hierarchy, the other data being in cleaitext (though any changes are detectable as a digest of 
that data forms part of the encrypted data). 

25 The keyFlags variable is a structore that mdicales Boolean properties of the key, currently 
redirection, migcatable^ and volatileKey. 

In Order to support djiioainic root keys, accordhie to the present embodiment, a new key 
flag DRK (dynamicRootK^) is added to KeyFlags. If the TPM 10 receives a "create key" 
30 coontiand with a TCPA_KEY stracturts ^ere the DRK flag is set, the TPM 10 
automatically creates a dynamic root key without any change to the existing key creation 
functionality of the TPM. 
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Figure 2 illustrates the data strocture of a dynamc root key, such as key 1 6, created by the 
TPM 1 0; as can be seen, the keyflags data 1 S includes the DRK flag 1 9 which is in its *set' 
state- The dynamic root key 1 6 also includes an authoiisation value 1 7 which forms part of 
5 the encrypted data bx "encData**; m the present case where the key 16 is a dynamic toot 
key, the authorisation value 1 7 is the digest of a protected process (that is, a process that 
cither protects itself or is protected by another entity, fix)m subvexsion). The digest is 
creating by processing with a hash algorithm the digital d3ta that represents the protected 
process.. 

10 

Rather than the TPM 10 creating a dyoanuc root key on the basis of the state of the DRKl 
flag in a TCPA_KBY structure associated with a "create key** command, a separate flag 
could be added to the command itself to indicate that the new key is a dyoamic root key. 

IS Whenever the TPM loads a key for which the DRK flag 1 9 is set, it knows that the key is a 
dynamic root key and proceeds accordingly, as described below. 

Figure 3 illustrates the trusted platform elements involved in starting a protected process 25 
such as may be formed by a secure-compartment OS . The TPM 1 0 of the trusted platform 
20 is shown in its condition prior to the activation of the protected process 25 with its SSK 1 1 
forming the root of the available key hierarchy 12 held in E^tected Storage 23 that is 
physically stored in normal memory 22- 

ARoot of Trust (RT) 20 is responsible for activating the protected process 25 by initiathig 
25 its execution by the plalfbmi*s main processor 27 and by cansingthe TPM lOtounlockfhe 
dyoamic root key and enable its use, for example, to access keys that depend &om it in the 
key hierarchy or to wr^ and-unwrap data presented to the TPM, The RT 20 is analogous 
to the RTM of a trusted platform and may, for example^ be a hardware device or the 
platform as a whole nnrning trusted software. The RT 20 is able to communicate with the 
30 TPM 1 0 in a manner that enables the tPM to believe that the communication came j&om 
the RT 20 (for example, the communication can be passed over a dedicated virtual or 
physical channel 21). 
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The various stages involved in the installation of the dynamic root key 16 (and any 

dependent object MeianJiy) that is associated with iheptotecW 

T>dow with certain of llicse stages beaig ilhistrated i 

5 , 

1- At switchKm of the trusted platfiinn, the TPMlOCdlways) has fhcSR^ atihe 
root of the available key hicaanshy (see Figine 4). 

2. At somepbint, theRT20 determines that tfie protected process 25 associated with 
flie dynamic rootkeyl6 is the next process to execute and either has exclusive 

10 access to the TPM 10 (becaiiae the RT 20 has, for example, cleared aU oUier 

processes fiom mcmoiy), or ai^ existing protected processes wiU not abuse 
infotmation obtained fitan the TPM (for example, theRT 20 may itsclfbca secure- 
cc»nq)artmeat OS wishing to start process 25 in a compartment). 

3. TheRT 20 conqrates a digest oftihe protected process 25. 

15 4. The key object KUl is loaded (using rPM_Loadkey) into the TPM 10 with 
aufliorisation to use the SRK 11; the load command and the related authorisation 
may come from the RT 20 or another element of the platform triggered by the RT 
20. 

5. TheTPM 10 decrypts the key objectKI-l using the SKK'sprivatekey and obtains 
20 the key inside the Kl key object 

6. TTie key object K2-1 (the dynamic root key object 16) is loaded into the TPM 10 
with authorisation to use die nnwiapped key Kl- 1; again, the load command and 
12ie related authorisation may come from the RT 20 or another element of the 
platfoxm triggered by the RT 20 . 

7. TheTPM 10 checks that unwrapped key Kl-1 is anormalkeyby checking its DRK 
flag bit in the KeyFIags structure, and uses the unwrapped private key ofkey ohject 
Kl-1 to decrypt key object K2-1 and obtain the key inside the dynamic root key 
object 16. 

8. TheRT 20 presents a TPM_ActivateDynamicRoot command to the TPM 10 with 
30 authorisation to use the key inside thekcy object K2-1 , tfais authorisation being the 

digest of the protected process 25 asaociatsd with the dynamic root key 1 6 (see 
Figure 4). 
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9. The TPM lO verifies that the TPM^ActivateDyaaonicRoot command came from 
the RT 20 (for example^ by checking the channel on which the command was 
received), and that the key inside the key object K2-1 is a dyoamic root key (by 
checking its DRK flag bit in the KeyFlags structure). 
5 10. The TPM 10 deactivates, but does not tmload or discard, the SRK 1 1 and uses the 
dynamic rootkey 16 jfrom the K2-1 key object as if it were the SRK (see Figure 4). 
In. other wordfe^ the key 1 6 forms the root of a Mcrarciy of data objects, aiid its 
private key never leaves the TPM in plaintext form. Whm the TPM 1 0 loads the 
dynamic root key 16, the TPM unloads any existing keys including any previous 
10 dynamic root key (the SRK 1 1 is, however, retained in the TPM), and invalidates 

any key$ that might have been cached outside the TPM 10 in encrypted form 

Thereafter, the dyaamic root key 1 6 acts as the root of a hierarchy of (external) data objects 
instead of the SRK 1 1 , in respect of the associated protected process 25. One consequence 
15 of this is that it is no longer possible to go hi^erup the key hierarchy 12 than the dynamic 
root key 16 whilst the latter is activated. The TPM 10 continues to use the dynamic root 
key 1 6 instead of the SRK 1 1 until either a new dynaxoic root key is loaded and activated or 
until the TPM 1 0 is restarted. 

20 With the dynamic root key 16 installed, the protected process 25 can be run and can access 
data protected by the key 16 or a key below it in the key hierarchy. 

Furthermore^ as the protected process is now responsible for the trustworthiness of 
processes it nms» it is no longer necessary to use the seal and unseal functions described 
25 ^ve to limit the initiafian of processes to certain states of the platfomi. This is because 
previous history of the protected process is irrelevant to the protections provided by the 
protected process. - 

Aithougji in the foregoing^ only one dynamic root key has bceaiUusiiated as part of the key 
30 hierarchy 12, it will be appreciated that multqjle dynamic keys can be included in the . 
hierarchy. Whether there is one or multiple dynamic root keys, the TPM 10 is preferably 
able to reliably indicate ib& root key that is currently active. This can be done, for example. 
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by having the TPM 10 sign a value associated with liie current root key, uaij^ a TPM 
idfiiitity key. The value that is signed oould be the autiiorisation value of flie dyoamic root 
key but is, preferably, a digest of the authorisation value of the root key concerned. 

5 . 

It wiU be appreciated that mEmy variants srspcsdbic: to the abo r-e desc^^ 

of uic iiivtifttion. Thus, althougti in. me foregoing description, the dynamic root key 16 is 

notmade availableinclcaroutside ofthelTlW; itvvouldbepossibletoprovidefb^ 
16 to be passed to the protected process for use by it, though this is not preferred. 

10 
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CLAIMS 

1 . A tree-stmctured key hierarchy with multiple nodes serving as root nodes dividing the 
5 hieraxchy into diSer:ejxt parts only accessible from corresponding TOOt nodes. 

2* ?xxjct:asmg apparatus comprising a key-handling imit lor handling a tree-structured key 
bieraichy, the key-hand[luig unit being arranged to treat a selected node of the hierarchy as 
the current root node such that those parts of the hieraict^ that can only be reached by 
10 ascent from the cument root node are inaccessible^ the key-handling unit including an 
arrangement for changing the node of the hierarchy serving as said current root node. 

3, Processing apparatus according to claim 2, wherein the arrangement for changing the 
current root node is ^labled to do so only upon a predetemuned set of at least one 

IS condition being met. 

4. Pmcesfiiflg apparatus according to claim 3, wherein at least one predetennincd condition 
comprises the receipt of an anfliCTisation value indicative of digital data. 

20 5. Processing apparatus according to claini 4, wherein said authorisation value is a digest of 
a protected process associated with the node that is intended to be the new current root 
node 

6- Processing apparatus according to claim 4 or claim 5, wherein at least one predetermined 
25 Condition comprises that aprotected process associated with the node that is intended to be 

the new gucrent root node is about to be run by the apparatus. 

7- Processing apparatus according to claim 6, wherein at least on© predetermined condition 
- comprises that any other currently-activated processes running an the ^paratus aire benign. 

30 
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8. ApparatusaccorfmgtoanycneofcMm/^ to 6. wherein at least an. predctennined 
conditioii «,nq>rises that&ekey-ha^dJing ^paratusisreqnested to change fte cuxreotioot 
node by a lOot of trust of the j^jparatus. 

9. Pr^c^sins ^Rparatos according to a«y on^ of daims 2 to 8, wher«in the node at the 
h=>ad of fee hierarchy as judged ^-ithout ^gard to which node is the Jurrcnt loot node, 
fonns said cmrent root node upon start of the jqjparkus. 



10- Processing apparatus according to any one of claims 2 to 9. ^ 
10 umtisarrangedtoholdtfaccuiicntrootnodeintHiiaUyi 
it remains the current root node. 



wherein fhekeybhandliog 
unencrypted form atleastTV*iIst 



15 



11. P"<^toSWaKteaccordingtoanyonepfclaims2tol0.wh^^^ 
unit is airaneed always to hold the node at tiie head of the hierarchy, ' 



regard to which node is the cmrent root nodc^ internally h 



^judged without 



m unencrypted fonu. 



12. 



20 



according to anyone of claims2to 10, whereinihe key-handling 
unit is a Trusted Plalfonn Module aceoniing to the TCPA architecture 

13. Processingapparatasaccoidingtoanycmoofclaims2to U, wherein Ihe key-handling 
unit is ari^ged to indicate the cunent root node by signing a value asiociated wilh the 
node using an identity key associated with the key-handling unit 



14. I^c«»singai^afatusaccordingto<daiml3whendependentonclai^ 
25 Wherein said value associated with Ihe current root node i. the suiiorisation valui 
associated with the node or a digest of that value. 

15. 1'«>c«singapparatusaccordingtoanyoneofclaims2toHwherJth^ 
unit is .6 aa-anged that only a particular type of key node, herein a dju- ^^^y node, 
30 be uised as fe. 



ut.e ^L^x^xit loot node in addition to the> node at the head of 
judged ^thout regard to which node is the current root node. 



can 



the hier^hy as 
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16. Processing apparatus according to claim 15, wherein the key-handling 
apparatus is arranged, upon receipt of a corresponding command, to generate a dynamic 
root node as a node of said key hierarchy. 
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ABSTRACT 

Key Hierarchy and Method and Appai-atns for Handling the Same 

5 

ProcBssmg apparatus, such 33 a trastedplatfoiir^ is provided w'iiiiakey-^^ 
for haridJing a trec-struclrai-ed key MeraKhy (12). Tne key-handiing unit (10) is anangedto 
treat a selected node (16) of the Werarchy as Ihe current root node su^ 
■ the hierarchy (12) that can onty be feached by ascent from the current root node (16) are 
10 inaccessible. The key-handling unit (10) includes an arrangement for changing ftenodc of 
the hierarchy that serves as the cunent root node. Also provided is a tree-strnctwed k»y 
hierarchy with multiple nodes (11,16) serving as root nodes dividing die hierarchy into 
di£fereat parts only accessible from coiresponding root nodes. 

15 (Figured) 
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Figure 4 
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